If so, you’ve probably used eBay, which means you can soon expect an email containing bad news.

The online trading megabrand is the latest to suffer a database breach.

Well, to be more precise, eBay is the latest site to admit to a database breach, which apparently happened about three months ago:

eBay Inc. said beginning later today it will be asking eBay users to change their passwords because of a cyberattack that compromised a database containing encrypted passwords and other non-financial data. [...] The database, which was compromised between late February and early March, included eBay customers' name, encrypted password, email address, physical address, phone number and date of birth.

Actually, it’s slightly worse than that, because it seems that the crooks didn’t just prise loose the database file with some kind of database command injection.

eBay offered a very brief and vague explanation of how the attack happened, writing on its site that:

Cyberattackers compromised a small number of employee log-in credentials, allowing unauthorized access to eBay's corporate network, the company said.

It really does say that: the company said on its blog that the company said that crooks had broken in and wandered around.

Advice for eBay PR flacks: when you’re writing your own blog article where you made a security blunder, avoid the temptation to refer to yourself in the third person.

It wasn’t someone else that let the crooks in, it was you, so write in the first person: it sounds so much more as though you mean it.

Extensive forensic research has shown no evidence of unauthorized access or compromise to personal or financial information for PayPal customers. PayPal customer and financial data is encrypted and stored separately, and PayPal never shares financial information with merchants, including eBay.

Good stuff.

Divide and conquer worked for Julius Caesar, who famously divided his empire in Gaul into three parts in order to be able to control it (OK, to keep it subjugated) more effectively.

Divide and conquer works in computer security, too.

If crooks have to break in to three different places, in three different ways, to be able to stitch together all your corporate data, then their job is tougher.

What to do?

The advice from eBay is to change your password right away, and we concur.

The company isn’t saying how securely it stored your passwords (it just says they were “encrypted,” though it probably means they were salted-and-hashed), so just how safe the stolen password data is against off-line attackers isn’t clear.

And make sure you go for something long and strong, not a dictionary word, a well-known phrase or something easy to guess, like your dog’s name.

It seems a bit sad to say, “Choose a strong password because that way you’ll leave someone else to take the hit,” but it’s true: if you chose your password wisely, other people’s passwords will be cracked first, because the crooks begin with the most likely passwords when they start cracking.

So use the time to get ahead of the password crackers, and update your password now.

39 comments on “eBay becomes the latest online giant to own up to a password breach”

eBay does not make it easy to find how to change your password! After you log in, look for the little triangle-arrow next to your name in the upper left corner. Select Account Settings from the drop-down menu. Then click on Business Information at the top of the left sidebar. “Password” will be on the list that appears. Click the pencil icon next to it. SHEESH that took way too long to find.

I changed my eBay password this morning. Then I tried to log out. Maybe my eyesight is failing, but I couldn’t find a logout button or link. Is there one? Or does eBay expect us to log out by closing the browser?

They KNEW about this for 3 MONTHS before alerting their users? I just checked, and the alert they sent out only just today makes it sound like they just found out. This makes me angry! Companies need to alert their customers RIGHT AWAY when something like this happens.

Reading between the lines (and that’s another problem with many breach notices – they leave you to do just that), it sounds as though:

1. They were breached back then, but took three months (minus a couple of weeks) to *realise*.

2. After realising, it took a couple of weeks to work out what actually (or probably) happened with any sort of certainty.

I think that being breached, knowing, and not telling would be morally worse than being breached and not realising. But in practical security terms, being breached and not realising is worse, because you can’t even take secret/silent precautions if you don’t even know.

I think a couple of weeks is a reasonable “quiet period” if you really were caught unawares…time to close holes before letting everyone know, including other crooks, time to get law enforcement involved, and more.

Haven’t seen any mention yet anywhere about whether security question and answers were divulged and/or encrypted. That’s almost worse these days, as I think many people use the same question/answer combos. (I might…and I hate the situation of it…)

I’ve tried 6 times to change my password, no success: fill in the first line, get ‘strong’; try to confirm, get ‘no white spaces allowed’. About to give up. I’m very angry that my details could have been hacked!

I have two separate eBay accounts (for different purposes), so I had to change two passwords. In both cases, the browser displayed the following message:

“Sorry! We’re currently experiencing technical difficulties and are unable to complete the process at this time”

In both cases, shortly thereafter I received an email message confirming that my password had been successfully changed. The email was correct. I tried logging in to both accounts with the new passwords and it worked.

The fact that so much personal information was potentially exposed to ne’er-do-wells is already bad enough. The display of the bogus “technical difficulties” message doesn’t help.

I suppose that if there are, what, 145,000,000 accounts affected, as I think I read somewhere, there are a lot of people using the password change feature at the same time. And the backend to that probably isn’t part of a huge CDN (content delivery network), cached and distributed around the globe…for security reasons, and because, usually, only a small number of people are changing their passwords at any time.

Sort of like how in many countries, renewing a still-valid passport is fairly easy but replacing a lost or stolen one requires a fair bit of queuing because it’s a more unusual sort of request with bigger security implications.

How can a company like eBay restrict the password length to 20 characters – what sort of ridiculous stupidity is that! The change password form doesn’t explicitly say that but the field has a maxlength of 20. How can they seriously expect people to believe that they take our security seriously when we can’t use long passwords – added to which does that mean they are using encryption as opposed to hashes like Adobe all over again?

Not only do they have a max length of 20, they also can’t include spaces (and I’m not sure what else). And it appears that all you have to do to claim an ebay account is have access to the email address that created the account (you can enter in the address for “forgot password” and then use the delivered link to create a new password — no secret question etc. needed).

So if your email account is ever compromised, make sure you check that among other things, the attacker hasn’t used your email account to gain control of your ebay account.

The Heartbleed fix seems to be _after_ this attack started but _before_ it was discovered and (we assume) the hole closed off. If you have formed the opinion that the crooks definitely didn’t come back into eBay’s network after their first infiltration (but before they were locked out for sure), then…I guess it isn’t necessary to change your password again.

Well, you need to consider “R0ver!” (which meets the rules) as pretty much equivalent to “rover” (which is a short dog’s name you can find in a dictionary :-), because password crackers apply that sort of leet-speak substitution as a matter of course.
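As an added illustration of that point (example code written for this page, not part of the comment above and not any checker eBay uses): a server-side password policy check that undoes common leet-speak substitutions and strips trailing digits and punctuation before comparing against a wordlist, so that “R0ver!” is rejected for the same reason “rover” is. The substitution table and the wordlist are constructed for the example; a real deployment would load a large published wordlist.

```python
import re

# Constructed table of common leet-speak substitutions (assumption: a
# representative subset, not the full rule set a cracker would apply).
LEET_MAP = {
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i", "|": "l", "+": "t",
}

# Constructed mini wordlist of weak base words for the demonstration.
WEAK_WORDS = {"rover", "password", "ebay", "letmein", "qwerty", "fido"}

MIN_LENGTH = 12  # policy choice for this example, not eBay's rule


def candidates(password: str):
    """Return the plausible 'base words' a cracker would reduce the password to.

    Order matters only for which match is reported first.
    """
    base = password.lower()
    # Drop punctuation at either end, e.g. the "!" in "R0ver!"
    base = re.sub(r"^[^a-z0-9]+|[^a-z0-9]+$", "", base)
    no_digits = re.sub(r"\d+$", "", base)          # "rover1" -> "rover"
    leet = "".join(LEET_MAP.get(ch, ch) for ch in base)
    leet_no_digits = "".join(LEET_MAP.get(ch, ch) for ch in no_digits)
    return [base, no_digits, leet, leet_no_digits]


def weak_base_word(password: str):
    """Return the wordlist entry the password reduces to, or None."""
    for cand in candidates(password):
        if cand in WEAK_WORDS:
            return cand
    return None


def is_weak(password: str) -> bool:
    """Reject short passwords and anything that normalises to a wordlist entry."""
    if len(password) < MIN_LENGTH:
        return True
    return weak_base_word(password) is not None


if __name__ == "__main__":
    for pw in ["R0ver!", "P@ssw0rd123", "xK9#vQ2!mZ8pL"]:
        print(pw, "->", weak_base_word(pw), "weak" if is_weak(pw) else "ok")
```

Real cracking tools apply far more mangling rules than this (case toggles, appended years, keyboard walks), so a check like this catches only the obvious cases; its value is in telling the user *why* “R0ver!” is no better than “rover”, rather than in guaranteeing strength.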

As a matter of fact, they’re not that strict – although it states passwords should contain those various types of characters, it still lets you create weaker ones. My new password created this morning has no upper case characters … but it does have lowercase, symbols and numbers.

As of this morning (May 22), I have still not received a notice from Ebay or Paypal asking me to change my passwords. I did so of my own accord after reading about it in the news yesterday. I was also the first one to alert my friends and family about it because they don’t usually read the news everyday.

I spoke with eBay this morning, and after my gentle rant received this reply a couple hours later:

eBay sent this message to [unameRedacted]. Your registered name is included to show this message came from eBay.

Learn more about how to tell if an email is really from eBay:
–pages.ebay.com/help/account/recognizing-spoof.html
_____________________________________________

Dear [unameRedacted],
Thank you for calling in today. We appreciate you being an active member of our community. I was able to receive some information on your question about passwords and if they were hashed. Here is that information:

Q: What encryption techniques do you use ?

A: We store encrypted passwords that have been hashed and salted. We have no evidence that the encryption on passwords has been broken and we have seen no spike in fraudulent activity on the site.
I hope this helps answer your question.
Sincerely, Trudy S.
eBay

So, the passwords are hashed, then salted, then encrypted? (In that order?)

You’d think they’d have got someone technical to write, in simple, clear technical English, just what password storage they use. For example, “We use PBKDF2 with a 16-byte random salt, 16000 iterations and a hash of HMAC-with-SHA256.” If you aren’t a techie you can ignore the detail; if you are, you really want/need to know.
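To make concrete what “salted-and-hashed” in the article and the PBKDF2 parameters suggested in the comment above would look like in practice, here is an added example (written for this page; not eBay’s code, and not a description of what eBay actually does). It uses exactly the parameters named: a 16-byte random salt, 16,000 iterations of PBKDF2 with HMAC-SHA-256. The record format `pbkdf2_sha256$iterations$salt$hash` is an assumption of this example, chosen so that a stored record describes its own parameters and the iteration count can be raised later.

```python
import hashlib
import hmac
import os

# Parameters from the comment above; the record label is this example's own.
ALGORITHM = "pbkdf2_sha256"
SALT_BYTES = 16
ITERATIONS = 16000
KEY_BYTES = 32


def derive(password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256. The salt is an *input* to the derivation, which
    answers the 'hashed, then salted?' question: salting is not a step
    applied to the hash afterwards."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=KEY_BYTES
    )


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Make a self-describing record: algorithm$iterations$salt_hex$hash_hex.
    A fresh random salt per user means two identical passwords produce
    different records, so a cracker cannot attack all users with one guess."""
    salt = os.urandom(SALT_BYTES)
    digest = derive(password, salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive with the stored salt and iteration count and compare."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != ALGORITHM:
        return False
    candidate = derive(password, bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison so response timing does not leak partial matches.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def needs_rehash(record: str, target_iterations: int = ITERATIONS) -> bool:
    """True if the record was made with fewer rounds than current policy;
    the caller can re-hash at next successful login."""
    _, iterations, _, _ = record.split("$")
    return int(iterations) < target_iterations


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print(verify_password("correct horse battery staple", rec))   # True
    print(verify_password("Correct horse battery staple", rec))   # False
```

Because the password is UTF-8 encoded before derivation, the non-ASCII password mentioned in a later comment would be accepted by this scheme; any length or character restriction is a choice of the web form, not a property of salted hashing. The iteration count is what makes each offline guess cost 16,000 hash computations instead of one, which is the point of the article’s advice that strong passwords get cracked last, if at all.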

I have not been contacted but I thought I would change my password anyway. So I loaded up KeyPass, generated a shiny, brand new password and then found that I could no longer copy and paste it into the New Password entry field. Evidently eBay and PayPal have made this change to improve user security (?).

This was the password (now junked of course) +4+¹âfêGL¡µÒùIrbúfúi×2E. So can anyone please tell me how I enter that from the keyboard and secondly, how does this improve user security?

My guess is that non-7-bit ASCII characters are not accepted by eBay; they definitely don’t accept spaces. As for entering that from the keyboard, there are a few techniques. First is that there is software that will “paste” your clipboard by typing it. Second: if you’re on Windows, you can use alt-keypad combinations to enter each character’s code. If you’re on a Mac, you can use the character picker to click the characters you want to use. On KDE and Gnome you can use the Character Map tool.

Thank you Andrew. Strangely I did receive an email from eBay and when I followed the link I was able to do a copy and paste. Maybe they got the message. I had forgotten about the Alt-codes. Takes me back to creating forms in Superwrite and Supercalc so, so long ago.

Called ebay to change password and they wanted my aol account which I haven’t used in 15 years... ugh. Of course I don’t remember it, but they said they couldn’t help without it. I don’t want to create a new account!!! Any suggestions???

I cannot believe they have not resolved these issues after a few months. I can not log in, I can not reset my password, I just can not access eBay in any shape or form. They must be losing tons of money. I guess I’ll have to shop elsewhere from now on. 😦